585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c

General

Target

585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
Size

78KB
MD5

4ac5734609a61c9d9bd4be065b3f8686
SHA1

462ae637b528e8538c2926b01f7b368a98a9d40b
SHA256

585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c
SHA512

9acf8cf3871fbe9931cb575a7507822e380037e486140fd789d79373af6caf4628ec499e0785008669a84ae667d8774fae07ceccdd09a57e92c4b323cd3e5192
SSDEEP

1536:CVPWV53AlGmWw644txVILJtcfJuovFdPKmNqOqD70Gou2P2oYe9Qtd679/fz1/0:YPWV53AtWDDILJLovbicqOq3o+nk9/f2

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2472	tmpA9F5.tmp.exe

Loads dropped DLL 2 IoCs

pid	Process
1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\caspol.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\InstallMembership.exe\""	tmpA9F5.tmp.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tmpA9F5.tmp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
Token: SeDebugPrivilege	2472	tmpA9F5.tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1788 wrote to memory of 2380	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	30
PID 1788 wrote to memory of 2380	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	30
PID 1788 wrote to memory of 2380	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	30
PID 1788 wrote to memory of 2380	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	30
PID 2380 wrote to memory of 2148	2380	vbc.exe	32
PID 2380 wrote to memory of 2148	2380	vbc.exe	32
PID 2380 wrote to memory of 2148	2380	vbc.exe	32
PID 2380 wrote to memory of 2148	2380	vbc.exe	32
PID 1788 wrote to memory of 2472	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	33
PID 1788 wrote to memory of 2472	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	33
PID 1788 wrote to memory of 2472	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	33
PID 1788 wrote to memory of 2472	1788	585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe	33

C:\Users\Admin\AppData\Local\Temp\585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
"C:\Users\Admin\AppData\Local\Temp\585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\lin-5f_6.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESAB8C.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcAB8B.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- C:\Users\Admin\AppData\Local\Temp\tmpA9F5.tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmpA9F5.tmp.exe" C:\Users\Admin\AppData\Local\Temp\585a643b981150c968866414f414b46ab2984fb2c02aad2364b6d6be8e4eec2c.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\RESAB8C.tmp

Filesize
1KB

MD5
259df75ffeaa6719b917cf6bca3e7372

SHA1
bbd02d8d744b5d46a1b2cfae3e60bfb0d1354f2f

SHA256
03498b2fa5c42a4404abcf8a36ce3b522512fbb6d6751c4a1e21c3aab4251a49

SHA512
da8bb8d7a85a69514b301a40e9bacacea2a4a871c73fac5b618ecb96617b727ff864b32caf54e3798e9b972b4b082d5d6bc0652ad7b718f2c3bdd838a76d7504

Download Submit
C:\Users\Admin\AppData\Local\Temp\lin-5f_6.0.vb

Filesize
14KB

MD5
7d4935dae64f0dcc50465bcbc653a6db

SHA1
a52ca36eadcc5c4adbb76be3c5fa5a680e79affd

SHA256
b9cc8dbea3f7a6c986542c385f782d46c72b099cebca26341c3035fb692f9393

SHA512
e232f2d79b94b497a3fba3b131b945f29b03b0079763478ed191ec2d5f8a06934b18431fd3ef9f49afc603546c397f9bcbf661862dc041967dff94b76ede0c48

Download Submit
C:\Users\Admin\AppData\Local\Temp\lin-5f_6.cmdline

Filesize
266B

MD5
98b5ec4ca89dc90e59382d389082b16e

SHA1
131c72191dcc59f40abe75b7b208df0efa8178c7

SHA256
e6deaa68aafc4e0d61e36da8da94138b2497fae27cde4bb293b5568d71e8df1f

SHA512
f70f81a3698ed50879f739745a55f0f4b696307a3bcde39a19b7957262cea8ea9dfc12732edbcbe42b1c032da744424e3a1022c032b72f4113b2337bd3159dd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA9F5.tmp.exe

Filesize
78KB

MD5
47b38e4308d7da4b0858ec583fb2bcac

SHA1
8e5064638f717acfbfea8bc26236e0a06e0abca5

SHA256
2829a39ffb6e68c99ce27f1fb4653378af7c14f3a2a88f85ed21495cffe2b9c3

SHA512
ae17688aef490b261378e28cb6fc3077412ef9cfe087f896249b404ee7a458d5d96d0b4081119de6da95aab1f9b4270459fa2cf4fa465ba9553f3c79f34c31f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbcAB8B.tmp

Filesize
660B

MD5
546c2022bd088edb0135635e2a40c9eb

SHA1
f74e2bccb55e88d9fb9385692ee2fcddc79593d4

SHA256
5578cf03696224a96eeb59db1fe4dc9881c110a9d07e393b29fae390e3586e02

SHA512
e0dd250c23c3e6ed0dee7790ccbaba46db6303a36581e3e1bb645b406db468e9a7716c09a38c5c6cf5bf42b01faf9c30e2684acc06b2715097f0404c202f1b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\zCom.resources

Filesize
62KB

MD5
a26b0f78faa3881bb6307a944b096e91

SHA1
42b01830723bf07d14f3086fa83c4f74f5649368

SHA256
b43ecda931e7af03f0768c905ed9fa82c03e41e566b1dff9960afc6b91ae5ab5

SHA512
a0e9c2814fca6bcf87e779592c005d7a8eef058a61f5a5443f7cf8d97e2316d0cde91ed51270bbcc23ccf68c7fc4a321a5a95a4eed75cb8d8a45cb3aa725fb9c

Download Submit
memory/1788-0-0x0000000074CC1000-0x0000000074CC2000-memory.dmp

Filesize
4KB

Download
memory/1788-1-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-3-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/1788-23-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-8-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-18-0x0000000074CC0000-0x000000007526B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads